Skip to Content
Author's profile photo Murali Shanmugham

Setting up Authentication for Cloud Portal using Cloud Identity – V

This blog is part of a series which is related to setting up Cloud Identity to authenticate Cloud Portal in different scenarios.

Setting up Authentication for Cloud Portal using Cloud Identity

Part 1 – Setting up SCI as IdP for a vendor facing Cloud Portal

Part 2 – Using Social Identity Providers to access Cloud Portal

Part 3 – Setup Self-registration form

Part 4 – Manage Cloud Portal Catalogs and roles

Part 5 – Mapping of groups between SCI and Cloud Portal

Part 6 – Setup 2FA for Cloud Portal access


In the previous blog, we saw how to create roles and assign them manually to users within the Cloud Portal.In real world scenario, it is unlikely that we would be adding each user to these custom HCP roles. Assume, if there are 1000’s of users and managing this assignment within the Cloud Portal configuration section would become cumbersome. In this blog, I am going to show how we can map users to groups and manage this more efficiently.

Creation of Groups in HCP Cockpit

When dealing with large user volumes, it is recommended to have groups to manage the user access. Navigate to the “Authorization” menu of the HCP cockpit and create two groups – Employee & Manager. Assign the respective HCP roles as shown below.

                   

Creation of Groups in Cloud Identity

Login to SCI as an administrator click on “User Groups” tile

                   

Navigate back to the “User Management” tile and edit the Employee User to assign this user to the newly created SCI User Group.

                   

In the next blog, we shall see how to setup and use Two-Factor Authentication (2FA) in SCI to access the Cloud Portal.

Assigned tags

      8 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Parag Jain
      Parag Jain

      Thank you for blog, I was wanting to do this for a long time and your blog helped me close this quickly.

      Author's profile photo Murali Shanmugham
      Murali Shanmugham
      Blog Post Author

      Hi Parag, Thanks for your feedback.

      Author's profile photo Jacques-Antoine Ollier
      Jacques-Antoine Ollier

      Currently this is the best blog I read on SCI!

      Very good job @Murali Shanmugham!!!

      Thank you very much for this precious information.

      Author's profile photo Murali Shanmugham
      Murali Shanmugham
      Blog Post Author

      Thanks for the feedback 🙂

       

      Author's profile photo Juan Alejandro Knight
      Juan Alejandro Knight

      Very good post. Just one comment. I have tested a similar scenario with a user assigned to two different groups. I have mapped the SCP groups to the SCI user groups using regular expression and it works fine.

      The is a curious detail. Although the SAML Assetion Attribute is called “groups” this is quite misleading. I have called the User API to display the values of the assertion attributes for the current user. Strangely, the field "groups" comes with only one group key although in SCI it has assigned two user groups. I expected this field to return the groups delimitted by a comma or something of that sort.

      Author's profile photo Murali Shanmugham
      Murali Shanmugham
      Blog Post Author

      Hi Juan,

      Thanks. Can you please provide the details of the user API which you are using. If I try to query the SCI user details using https://<Cloud_Identity_Tenant>/service/scim/Users/<USER_ID> this shows me the list of all groups assigned to a particular user.

      Author's profile photo Juan Alejandro Knight
      Juan Alejandro Knight

      Hi Murali,

      I was using the User API "/services/userapi" in SCP (not in Cloud Identity) mentioned in this blog.

      That API only returns one group in the "groups" SAML Assertion attribute

      Author's profile photo Murali Shanmugham
      Murali Shanmugham
      Blog Post Author

      Hi,

      Did you try setting the "multiValuesAsArrays" URL parameter to true. If it doesn't help, I would suggest you raise a question in the forum.

      Thanks,